[Facebook Bug Bounty] How I was able to enumerate Instagram Accounts who had enabled 2FA

At the time, Instagram only offered SMS-code-based 2FA rather than an authenticator-app-based system such as Authy. After a login with email and password, it sent a six-digit code to the user's mobile number to authorize the login attempt.

After enabling 2FA for my Instagram account using Instagram's Android application, I logged out of the account on Android and opened http://www.instagram.com/ in a browser. When I logged in there with my username and password, I was redirected to the 2FA page to verify the login attempt (since 2FA had already been enabled via the Android app) and asked to enter the six-digit code that had been sent to my mobile number.

I realized that if we changed the username in this request to any other valid Instagram username in use, we could determine whether that account had 2FA enabled by comparing the bodies of the HTTP responses. We did not need to enter the valid six-digit code that had been sent to our mobile number for this to work; any random six digits were enough.

Notice the HTTP response body; it shows:

{"message": "Please check the security code we sent you and try again.", "status": "fail"}

This indicated that the account for the submitted username had 2FA enabled. It held for every Instagram account: this was the HTTP response returned each time for a valid Instagram username whose account had 2FA enabled.
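The flaw above is a response oracle: the verification step trusts a client-supplied username and answers differently depending on that account's 2FA state. The following is an added example, not Instagram's code or the author's, that models the leaky endpoint next to a hardened one which binds verification to the session that passed the password step and returns one constant failure body; all usernames and codes are constructed placeholders.

```python
import hmac

# Constructed sample data (hypothetical): username -> pending SMS code for
# accounts with 2FA enabled; accounts without 2FA have no pending code.
ACCOUNTS_2FA = {"me": "246810", "alice": "123456", "carol": "987654"}
ACCOUNTS_NO_2FA = {"bob"}

# The body quoted in the post, reused here as the single generic failure.
GENERIC_FAIL = {
    "message": "Please check the security code we sent you and try again.",
    "status": "fail",
}


def verify_leaky(client_username: str, code: str) -> dict:
    """Vulnerable model: the username is taken from the request body, not
    from the login session, and the failure body depends on the target."""
    pending = ACCOUNTS_2FA.get(client_username)
    if pending is not None:
        if hmac.compare_digest(pending, code):
            return {"status": "ok"}
        return GENERIC_FAIL  # only ever sent for accounts that have 2FA
    # No code check for non-2FA accounts, so a different body leaks out.
    return {"message": "Two-factor authentication is not enabled.", "status": "fail"}


def verify_fixed(session_username: str, client_username: str, code: str) -> dict:
    """Hardened model: only the account bound to the session is checked
    (client_username is deliberately ignored) and every failure returns the
    same body, so the caller learns nothing about any other account."""
    pending = ACCOUNTS_2FA.get(session_username)
    if pending is not None and hmac.compare_digest(pending, code):
        return {"status": "ok"}
    return GENERIC_FAIL


def is_oracle(handler, usernames, code: str = "000000") -> bool:
    """Defensive check: True if failure bodies differ across usernames,
    i.e. the endpoint reveals per-account state."""
    bodies = {tuple(sorted(handler(u, code).items())) for u in usernames}
    return len(bodies) > 1


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]
    print("leaky endpoint is an oracle:", is_oracle(verify_leaky, users))
    print("fixed endpoint is an oracle:",
          is_oracle(lambda u, c: verify_fixed("me", u, c), users))
```

The `is_oracle` check is the kind of differential test a defender can run against a verification endpoint with a logged-in test account: identical failure bodies across arbitrary usernames mean the enumeration described above is closed.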